Adam McKenna <adam@debian.org> wrote:
>
> No, sorry. Every box connected to the internet does not need a stateful
> firewall in front of it. This is an idea that has been propagated by the
> clueless "security admin" world in order to sell more Checkpoint licenses.

Wrong. Have you never heard of multiple levels of security?

> A web server box running Apache and SSH (only) can be adequately protected by
> tcp wrappers if they're configured correctly. (i.e., using IP-based access
> rules.)

s/configured correctly/configured correctly and contain no vulnerabilities/

That bit about no vulnerabilities is important. Don't rely on just one
method of stopping attacks, because eventually someone will find a way
around it.

Would you rely solely on an access control directive in Apache to protect
your server from nasty people? I wouldn't. That leaves you open to any
vulnerability found in header parsing or the request-response mechanism in
Apache.

Maybe TCP-wrappers will become vulnerable to some attack. Then your IP-based
access lists are moot.

The TCP stack itself in your web server may be vulnerable to attack, in
which case the attack won't even get as far as TCP-wrappers.

The best approach to security is to protect yourself from attacks at all
these levels.

You seem to show a fundamental lack of understanding of how to properly
secure a machine connected to the Internet.
--
Sam Couter | Internet Engineer | http://www.topic.com.au/
sam@topic.com.au | tSA Consulting |
OpenPGP key ID: DE89C75C, available on key servers
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
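The layering argument in the reply above, as an added illustration that is not part of the thread: a tcp_wrappers-style hosts.allow/hosts.deny matcher (following the documented allow-then-deny evaluation order for the common client patterns) sits between a simplified stateful-firewall layer and a simplified Apache "Allow from" layer, and `layered_decision` shows which layers still block a source once one layer is assumed bypassed. All policies and addresses are constructed sample values.

```python
"""Defence in depth: a connection must pass every layer, so a bypass of
one layer (what an unpatched vulnerability amounts to) is still caught
by the others. Sample policies below are constructed, not from the thread."""
import ipaddress

FIREWALL_ALLOW = ["192.168.1.0/24", "203.0.113.0/24"]   # stateful firewall input rules
HOSTS_ALLOW = ["sshd: 192.168.1.", "httpd: 203.0.113.0/255.255.255.0"]
HOSTS_DENY = ["ALL: ALL"]                                 # deny everything not allowed above
APACHE_ALLOW = ["203.0.113."]                             # Apache 2.2-style "Allow from 203.0.113."

def wrapper_client_match(pattern, ip):
    """Match one tcp_wrappers client pattern: ALL, trailing-dot prefix,
    net/mask in dotted form, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern

def wrapper_allows(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match at all means allow."""
    def matches(rules):
        for rule in rules:
            daemons, clients = (part.strip() for part in rule.split(":", 1))
            if daemons in ("ALL", daemon) and any(
                    wrapper_client_match(c.strip(), ip) for c in clients.split(",")):
                return True
        return False
    if matches(allow):
        return True
    if matches(deny):
        return False
    return True

def layered_decision(daemon, ip, broken=()):
    """Run every layer; names in 'broken' are assumed bypassed and pass everything.
    Returns the list of layers that still block the connection (empty = gets through)."""
    layers = {
        "firewall": lambda: any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
                                for n in FIREWALL_ALLOW),
        "tcp_wrappers": lambda: wrapper_allows(daemon, ip),
        # Apache only sees HTTP; other daemons are not subject to its directives.
        "apache": lambda: daemon != "httpd" or any(ip.startswith(p) for p in APACHE_ALLOW),
    }
    return [name for name, check in layers.items() if name not in broken and not check()]

if __name__ == "__main__":
    print(layered_decision("sshd", "198.51.100.7"))                        # ['firewall', 'tcp_wrappers']
    print(layered_decision("sshd", "198.51.100.7", broken=("tcp_wrappers",)))  # ['firewall']
```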